AVIRA and BD detect by file size?!

Discussion in 'other anti-virus software' started by Lawliet, Sep 7, 2008.

Thread Status:
Not open for further replies.
  1. Lawliet

    Lawliet Registered Member

    Hi guys~


    Yesterday I discovered an interesting phenomenon!
    The picture below shows the sample's properties.
    Please pay attention to the last number (271995):
    http://farm4.static.flickr.com/3082/2835442818_fc90e8efe3_o.png

    BitDefender reports: Trojan.Generic.74723
    http://farm4.static.flickr.com/3213/2835479372_0af6dc46fc_o.png

    AVIRA reports: TR/Agent.271995
    http://farm4.static.flickr.com/3107/2834356088_1a34695fda_o.png

    All are false positives!
    These two vendors report a false alarm while the file is clean.
    After I edit the file size (the file is a self-extracting document) or decompress it
    and then use AVIRA and BD to rescan it once again, they do not detect it anymore.

    My dear friend tested it using other AVs; many of them gave a false alarm.
    After editing the file size of the sample or decompressing it, they all found nothing.

    thanks
     
    Last edited: Sep 7, 2008
  2. vijayind

    vijayind Registered Member

    Maybe you could upload your samples to VirusTotal.com or virusscan.jotti.org to check with multiple AV products.

    The only reason I can think of is, over-zealous Heuristics. But that's my best guess...
     
  3. Lawliet

    Lawliet Registered Member

    Hi vijayind, thank you for your reply.

    I don't want to upload the sample to VT or VT-like web sites,
    because if these vendors get my sample, they will certainly fix it.
     
  4. Firecat

    Firecat Registered Member

    If I interpreted this message correctly, you don't want to send the sample to Virustotal because if you did that, the vendors would fix the false positives immediately. But why would you not want them to fix it?
     
  5. subset

    subset Registered Member

  6. Lawliet

    Lawliet Registered Member

    Hello Firecat

    Just curious!
    If I know the answer, I will certainly report this sample.
     
  7. Fajo

    Fajo Registered Member

    I would just submit it. It could be a glitch that needs to be fixed, for all you know.
     
  8. vijayind

    vijayind Registered Member

    well, your choice.
    I am using KIS 2009 on my laptop right now. No FP here.
    http://picfu.com/link/52664/3e5c4ce59446b20c
     
  9. Fajo

    Fajo Registered Member

    Also keep in mind that, depending on what is compiled with it, it could also be seeing a backdoor in the compiled program, if I'm reading you right.
     
  10. Lawliet

    Lawliet Registered Member

    Other vendors report:
    Asquared: Trojan.Generic
    Ikarus: Trojan.Generic
    Norman: Trojan Smalltroj.BSXG
    Norton: Trojan Horse
    QuickHeal: TrojanDownloader.Agent.efy
    TheHacker: Trojan/Downloader.Agent.efy
    VBA32: infected Trojan-Downloader.Win32.Agent.efy
    VirusBuster: Trojan.Agent.DZIW

    It has nothing to do with the file size...
    I think the unpack engine has some problem.
     
  11. pykko

    pykko Registered Member

    Lawliet, how do you know this file is a FP ?
     
  12. Lawliet

    Lawliet Registered Member

    My analysis has not found any malicious behavior.
    The sample only has a folder and an ini file inside, no exe/dll file at all.
     
  13. tetsuo55

    tetsuo55 Registered Member

    The file size has nothing to do with it.

    When you change the file size you change the signature of the file. Just report the file so they can remove the false positive.
     
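    As an added illustration of the signature remark in the post above (this is not code from any poster or from Avira or BitDefender), here are three toy detector styles, all hypothetical: a whole-file hash signature, a byte-pattern signature, and the size-only check the thread title speculates about. They are run against a constructed sample three times: unchanged, with its size changed by appended padding (the first experiment described in the opening post), and with one byte altered at the same size. The sample bytes and both signature "databases" are made up for this demo and match no real malware.

```python
"""Why a changed file size can break one kind of AV signature but not another.

Added illustration; not code from Avira, BitDefender, or any poster. The
sample bytes and all three signature tables are constructed for the demo.
"""
import hashlib

# Constructed stand-in for the scanned file: a fake header, a marker
# string, and some padding. It is inert text, not executable content.
MARKER = b"<<constructed-marker-0001>>"
SAMPLE = b"MZ" + b"\x90" * 14 + MARKER + b"\x00" * 16

# Style 1: whole-file hash signature (hypothetical database).
HASH_SIGNATURES = {hashlib.sha256(SAMPLE).hexdigest(): "Demo.HashSig"}

# Style 2: byte-pattern signature that may occur anywhere in the file
# (hypothetical database).
PATTERN_SIGNATURES = {MARKER: "Demo.PatternSig"}

# Style 3: the naive size-only detector the thread title speculates about,
# included only to show how unspecific it is (hypothetical).
SIZE_SIGNATURES = {len(SAMPLE): "Demo.SizeSig"}


def hash_match(data: bytes):
    """Exact-bytes match: any change to the file changes the digest."""
    return HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())


def pattern_match(data: bytes):
    """Substring match: survives changes outside the pattern itself."""
    for pattern, name in PATTERN_SIGNATURES.items():
        if pattern in data:
            return name
    return None


def size_match(data: bytes):
    """Length-only match: fires on any file of that length."""
    return SIZE_SIGNATURES.get(len(data))


def scan(data: bytes) -> dict:
    """Run all three detectors; a None value means 'not detected'."""
    return {
        "hash": hash_match(data),
        "pattern": pattern_match(data),
        "size": size_match(data),
    }


def append_padding(data: bytes, n: int = 4) -> bytes:
    """Experiment 1: change the file size without touching existing bytes."""
    return data + b"\x00" * n


def flip_one_byte_in_marker(data: bytes) -> bytes:
    """Experiment 2: keep the size, alter one byte inside the marker."""
    idx = data.index(MARKER) + 2
    return data[:idx] + bytes([data[idx] ^ 0x01]) + data[idx + 1:]


if __name__ == "__main__":
    cases = [
        ("original", SAMPLE),
        ("padded (size changed)", append_padding(SAMPLE)),
        ("one byte flipped (same size)", flip_one_byte_in_marker(SAMPLE)),
    ]
    for label, blob in cases:
        print(f"{label:30s} {scan(blob)}")
```

    Appending padding defeats the hash signature (and the size check) while the pattern signature still fires; flipping a byte inside the pattern defeats both content-based signatures while the size check still fires on anything of that length. That is the sense in which changing the size "changes the signature": only for a detector that is tied to the exact bytes, and a detection name that happens to contain the byte count says nothing about which style is in use.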
  14. pykko

    pykko Registered Member

    It depends on what that .ini file contains.
     
  15. steve1955

    steve1955 Registered Member

    Sorry: I can't believe what I'm reading here!
     
  16. doktornotor

    doktornotor Registered Member

    +1 - WTH is the point of this post? :thumbd: o_O
     
  17. dw2108

    dw2108 Registered Member

    Yeah, an easy way to goof up COM, BAS, and a few others, IN WIN 9X ONLY, is to turn on Word Wrap in Notepad and in WordPad. It screws up the viral code's format. Try it with EICAR on a 9x box.
     
  18. trjam

    trjam Registered Member

    Avira, Problem? Blasphemy!!!!

    Don't ever question their ability and capability.

    HE IS BACK!!!!!
     
  19. Macstorm

    Macstorm Registered Member

    ..a junior malware writer, maybe? :D
     
  20. doktornotor

    doktornotor Registered Member

    I'd say the whole point was that you should report false positives to AV vendors to get them fixed. If your attitude is like

    then you might as well do everyone else a service and keep your mouth shut instead. :rolleyes:
     
  21. trjam

    trjam Registered Member

    Sorry, it isn't in my blood. :mad:
     
  22. Searching_ _ _

    Searching_ _ _ Registered Member

    There was no flourish. All stage presentations use a flourish! Or cheesy music.
     
  23. steve1955

    steve1955 Registered Member

    I can't believe he won't send the samples off, because it seems he doesn't want the problem he has, or thinks he has, identified sorting out!
     
  24. Fajo

    Fajo Registered Member

    This thread has run its course for sure now. It's just going aimlessly into the wind. :cautious:
     
  25. kjempen

    kjempen Registered Member

    What I wonder is how the original poster came to the conclusion that Avira and BitDefender detect malware based on file sizes (as suggested in the topic of this thread)? I don't see much logic or any proof in his posting.
     